https://bugzilla.redhat.com/show_bug.cgi?id=1945710
Bug ID: 1945710
Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, ataylor@redhat.com, bibryam@redhat.com, bmontgom@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, eric.wittmann@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, jburrell@redhat.com, jjohnstn@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jross@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, lhh@redhat.com, lpeer@redhat.com, mat.booth@gmail.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, nstielau@redhat.com, pantinor@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, swoodman@redhat.com, tzimanyi@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-...
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Depends On | | 1945711
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1945711 [Bug 1945711] CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1945711]
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Blocks | | 1945716
Przemyslaw Roguski proguski@redhat.com changed:
What | Removed | Added
Fixed In Version | | jetty 9.4.39, jetty 10.0.2, jetty 11.0.2
--- Doc Text *updated* --- If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
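The description above and the Doc Text name two concrete preconditions for CVE-2021-28163: a Jetty version inside the affected ranges, and a ${jetty.base} or ${jetty.base}/webapps path that is a symlink. The following is an added example, not code from this Bugzilla record or from the Jetty project: a defender-side pre-deployment check that tests both preconditions on a given jetty.base and reports the fixed-in version from the bug. The function names, the result dictionary, and the temporary sample layout built by demo() are assumptions constructed for the example; the version ranges and fixed-in versions are the ones stated on this page.

```python
import os
import re
import tempfile
from pathlib import Path

# Affected ranges as stated in this bug: (first affected, last affected, fixed-in).
# Pre-release qualifiers such as "beta2" are dropped by parse_version(), so
# 10.0.0.beta2 compares as 10.0.0, which is inside the affected range anyway.
AFFECTED_RANGES = [
    ((9, 4, 32), (9, 4, 38), "9.4.39"),
    ((10, 0, 0), (10, 0, 1), "10.0.2"),
    ((11, 0, 0), (11, 0, 1), "11.0.2"),
]


def parse_version(version: str) -> tuple:
    """Reduce a Jetty version string to a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version: str):
    """Return the fixed-in version if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def symlink_findings(jetty_base) -> list:
    """Flag the two layouts the Doc Text names: ${jetty.base} itself or
    ${jetty.base}/webapps being a symlink. Path.is_symlink() does not follow
    the link, so a symlinked base is reported even though it resolves fine."""
    base = Path(jetty_base)
    findings = []
    if base.is_symlink():
        findings.append(f"{base} is a symlink -> {os.readlink(base)}")
    webapps = base / "webapps"
    if webapps.is_symlink():
        findings.append(f"{webapps} is a symlink -> {os.readlink(webapps)}")
    return findings


def assess(jetty_base, version: str) -> dict:
    """Combine both preconditions: exposure needs an affected version AND a symlink."""
    fixed = fixed_version_for(version)
    findings = symlink_findings(jetty_base)
    return {
        "version_affected": fixed is not None,
        "fixed_in": fixed,
        "symlink_findings": findings,
        "exposed": fixed is not None and bool(findings),
    }


def demo() -> dict:
    """Build a constructed sample layout (hypothetical, for the example only):
    a real jetty.base whose webapps entry is a symlink to another directory."""
    root = Path(tempfile.mkdtemp(prefix="jetty-symlink-check-"))
    real_webapps = root / "deploy" / "webapps"
    real_webapps.mkdir(parents=True)
    (real_webapps / "app.war").write_bytes(b"constructed placeholder, not a real WAR")
    base = root / "jetty-base"
    base.mkdir()
    (base / "webapps").symlink_to(real_webapps, target_is_directory=True)
    return {
        # affected version + symlinked webapps: the layout the advisory warns about
        "risky": assess(base, "9.4.35"),
        # same layout on the fixed-in version: symlink still reported, not exposed
        "patched_same_layout": assess(base, "9.4.39"),
        # affected version but webapps is a real directory: nothing to report
        "clean_layout": assess(real_webapps.parent, "9.4.35"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check keeps the two conditions separate on purpose: a symlinked base on a fixed version is still worth knowing about for inventory, but only the combination is reported as exposed. Run it against a real ${jetty.base} with the version string from the Jetty start log.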
--- Comment #2 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
--- Comment #3 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-...
Przemyslaw Roguski proguski@redhat.com changed:
What | Removed | Added
Depends On | | 1947811, 1947810
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
CC | | proguski@redhat.com
Flags | | needinfo?(proguski@redhat.com)
--- Comment #6 from Mark Cooper mcooper@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Paramvir jindal pjindal@redhat.com changed:
What | Removed | Added
CC | akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, etirelli@redhat.com, ibek@redhat.com, jstastny@redhat.com, krathod@redhat.com, kverlaen@redhat.com, mnovotny@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, tzimanyi@redhat.com |
Przemyslaw Roguski proguski@redhat.com changed:
What | Removed | Added
Flags | needinfo?(proguski@redhat.com) |
--- Comment #9 from Przemyslaw Roguski proguski@redhat.com --- Upstream patch: https://github.com/eclipse/jetty.project/commit/37fffb1722604da1763d8a096ec5...
--- Comment #10 from Anten Skrabec askrabec@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
--- Comment #11 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #12 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Camel K as having a low impact. Although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; HTTP functionality is provided by the camel-k default runtime, Quarkus.
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
Depends On | | 1952063, 1952064
Bug 1945710 depends on bug 1945711, which changed state.
Bug 1945711 Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1945711
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2021:1509 https://access.redhat.com/errata/RHSA-2021:1509
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2021-05-06 20:33:58
--- Comment #18 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-28163
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.6.4
Via RHSA-2021:1560 https://access.redhat.com/errata/RHSA-2021:1560
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.2
Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:2689
David Hernández Fernández dahernan@redhat.com changed:
What | Removed | Added
Depends On | | 1987180
Adam Kaplan adam.kaplan@redhat.com changed:
What | Removed | Added
Depends On | | 1972366
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1972366 [Bug 1972366] Bump jenkins version to 2.289.1
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.8.0
Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:3225
Bug 1945710 depends on bug 1972366, which changed state.
Bug 1972366 Summary: Bump jenkins version to 2.289.1 https://bugzilla.redhat.com/show_bug.cgi?id=1972366
What | Removed | Added
Status | RELEASE_PENDING | CLOSED
Resolution | --- | ERRATA
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:3700
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:4767
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:5134
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2022:6407